TMC NEWS

Report Warns Air Traffic Control System Vulnerable to Cyber Terrorism

May 27, 2009 (Congressional Documents and Publications/ContentWorks via COMTEX) --
Washington, D.C. - A federal government report released today confirms that the nation's air traffic control system is vulnerable to cyber attacks and will continue to be as the system is modernized, unless steps are taken to address significant security gaps.

At the request of U.S. Rep. John L. Mica (R-FL) and U.S. Rep. Tom Petri (R-WI), the U.S. Department of Transportation Office of Inspector General (OIG) investigated the security issue as the Federal Aviation Administration continues to develop a satellite-based air traffic control system heavily reliant on commercial software and Internet Protocol (IP)-based technology.

"Our concerns about the cyber security of the U.S. air traffic control system are validated by this report," said Mica, the Republican Leader of the House Committee on Transportation and Infrastructure and the former Chairman of the Subcommittee on Aviation. "Federal Aviation Administration systems are vulnerable to cyber terrorist attacks.

"In recent years, hackers have been able to access FAA systems. Luckily, these attacks have not resulted in any serious damage, but this report confirms that our entire system could be compromised by a similar threat.

"FAA's capability to avert and respond to cyber threats must be strengthened. Any such attack on U.S. transportation systems is serious, but an attack on our aviation system could jeopardize the entire industry and poses a significant threat to safety. Mr. Petri and I have requested a Committee hearing on this issue," Mica said. (see attached letter)

"The threat of hackers interfering with our air traffic control systems is not just theoretical - it has already happened," said Petri, the Subcommittee on Aviation Ranking Member. "Extensive and sophisticated hacking is carried out not only by individuals but also by criminal syndicates and foreign powers. During periods of international tension, we could suddenly find ourselves dealing with crippled civilian aviation. We must regard the strengthening of our air traffic control security as an urgent matter of safety, of great importance to the national economy, and a matter of national security."

While suited to air traffic control (ATC) system modernization, the increased reliance on commercial software and IP-based technologies creates more opportunities for cyber attackers to take advantage of software vulnerabilities to hack into FAA systems. This is particularly concerning as the threat from nation-state-sponsored cyber attacks increases.

In its security audit, the OIG identified 763 high-risk vulnerabilities that may provide an attacker with immediate access into an FAA computer system and could be used to execute remote commands or introduce a virus into the system.

In recent years, similar vulnerabilities have resulted in a partial shutdown of ATC systems in Alaska, allowed hackers access to FAA's administrative network, and compromised personally identifiable information of 45,000 FAA employees.

In addition to the network vulnerabilities identified, the OIG found insufficient monitoring coverage of ATC systems due to lack of cooperation between FAA and DOT's Cyber Security Management Center (CSMC).

Mica added, "The expansion of the CSMC's responsibilities from the Federal Aviation Administration to Department-wide cyber monitoring may have diluted the responsibility of the office and compromised FAA's ability to monitor and deal with cyber security issues. I believe that we need to enhance the FAA's ability to monitor cyber incidents both system-wide and at the facility level.

"We have asked the OIG to continue rigorous oversight of the FAA's and CSMC's implementation of their recommendations and to report regularly on their progress."

The entire report will be available at http://www.oig.dot.gov/.